Gotham Security Daily Threat Alerts

March 23, Softpedia – (International) New point-of-sale malware PoSeidon exfiltrates card data to Russian domains. Security researchers from Cisco Systems’ Talos Security Intelligence and Research Group discovered that cybercriminals are using a new point-of-sale (PoS) malware family dubbed PoSeidon that infects systems via a binary file and uses a memory scraping technique to retrieve and clone Discover, American Express, MasterCard, and Visa card information before delivering it to command and control (C&C) servers in Russia. The malware contains routines to ensure persistence regardless of restart or user log-off. Source

March 23, Softpedia – (International) CryptoWall ransomware also adds infostealer to compromised systems. Security researchers at Trend Micro discovered that the latest version of the CryptoWall ransomware contains the Fareit infostealer which collects credentials from programs including email clients, Web browsers, file transfer protocol (FTP) clients, and digital currency wallets. The malware is delivered via an archived JavaScript attachment in an email claiming to deliver a resume that connects to command and control (C&C) servers to download JPG images as a ploy to bypass intrusion detection systems (IDS). Source

March 23, Help Net Security – (International) Cisco Small Business IP phones vulnerable to eavesdropping. Cisco Systems confirmed that its Small Business SPA 300 and 500 series IP phones running firmware version 7.5.5 or older contain flaws in authentication settings that could allow attackers to listen in on phone audio streams or make calls remotely by sending crafted extensible markup language (XML) requests to the affected device. The company is reportedly working on a patch to address the vulnerability. Source

March 23, IDG News Service – (International) Fake patient data could have been uploaded through SAP medical app. SAP fixed two issues in the Electronic Medical Records (EMR) Unwired app that could have allowed attackers to potentially leverage an SQL injection flaw and configuration file vulnerability to access the embedded database and change medical records stored on the server. Source
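The SAP item above describes an SQL injection flaw used to reach the embedded database. The following is an added example, not SAP's code or schema: a constructed in-memory SQLite table with a record lookup written both the vulnerable way (string concatenation) and the hardened way (bound parameters), plus an input-format check as defence in depth. All names (`records`, `patient_id`, `lookup_unsafe`, `lookup_safe`, `is_valid_patient_id`) are assumptions for illustration.

```python
import re
import sqlite3


def build_demo_db():
    """Constructed in-memory EMR-style table for the demo; not a real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (patient_id TEXT, diagnosis TEXT)")
    conn.executemany(
        "INSERT INTO records VALUES (?, ?)",
        [("P-1001", "hypertension"), ("P-1002", "asthma")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, patient_id):
    # Vulnerable form: the caller's string is spliced into the SQL text, so
    # quote characters in the input change the query's structure.
    query = "SELECT diagnosis FROM records WHERE patient_id = '" + patient_id + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, patient_id):
    # Hardened form: the value is bound as a parameter and is never parsed
    # as SQL, whatever characters it contains.
    rows = conn.execute(
        "SELECT diagnosis FROM records WHERE patient_id = ?", (patient_id,)
    )
    return [row[0] for row in rows]


# Assumed identifier format for the demo (e.g. "P-1001"); rejecting anything
# else before the query runs is a second, independent layer of control.
PATIENT_ID_RE = re.compile(r"^P-\d{4}$")


def is_valid_patient_id(patient_id):
    return bool(PATIENT_ID_RE.match(patient_id))


def lookup(conn, patient_id):
    """Combined defence: validate the format, then use the bound query."""
    if not is_valid_patient_id(patient_id):
        return []
    return lookup_safe(conn, patient_id)


if __name__ == "__main__":
    db = build_demo_db()
    probe = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, probe))   # every row leaks
    print("safe:  ", lookup_safe(db, probe))     # no rows: treated as a literal
    print("valid: ", lookup(db, "P-1002"))
```

The point of the side-by-side is that the same input string is harmless to the bound query: the driver sends the value separately from the statement, so there is nothing for the database to reinterpret.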

March 23, SecurityWeek – (International) Dridex banking malware dodges detection with run-on-close macros. Security researchers at Proofpoint discovered that the Dridex banking malware is using run-on-close macros in infected Microsoft Office documents to avoid detection by malware sandboxes and antivirus software. The Dridex malware was previously linked to attacks targeting banking customers in the U.S., Canada, and the U.K. Source
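The Dridex item turns on a detection gap: sandboxes that only wait for open-time macros miss procedures that fire when the document is closed. As an added example (not Proofpoint's tooling or any Dridex sample), the script below scans extracted VBA source text for the auto-executing procedure names Office runs on open and on close, and for a couple of common shell-launch keywords, so that close-triggered macros are flagged alongside open-triggered ones. The VBA text is a constructed stand-in with a harmless placeholder command; the trigger lists and the function names are assumptions.

```python
import re

# Constructed VBA module text for the demo; it mimics a macro wired to the
# document-close event rather than the document-open event.
SAMPLE_VBA = """
Attribute VB_Name = "ThisDocument"
Private Sub Document_Close()
    Call Payload
End Sub

Private Sub Payload()
    Dim objShell
    Set objShell = CreateObject("WScript.Shell")
    objShell.Run "cmd /c echo placeholder"
End Sub
"""

# Procedure names that Word/Excel run automatically, grouped by trigger.
# A scanner that only checks the "open" group misses the "close" group.
AUTOEXEC_TRIGGERS = {
    "open": ["AutoOpen", "Auto_Open", "Document_Open", "Workbook_Open"],
    "close": ["AutoClose", "Auto_Close", "Document_Close", "Workbook_BeforeClose"],
}

# Keywords that commonly accompany a downloader/launcher payload.
SUSPICIOUS_KEYWORDS = ["CreateObject", "WScript.Shell", "Shell", "URLDownloadToFile"]

SUB_DECL_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(\w+)\s*\(", re.I | re.M)


def find_autoexec(vba_text):
    """Return {trigger: [procedure names present]} for each auto-exec group."""
    declared = {name.lower(): name for name in SUB_DECL_RE.findall(vba_text)}
    found = {}
    for trigger, names in AUTOEXEC_TRIGGERS.items():
        found[trigger] = [declared[n.lower()] for n in names if n.lower() in declared]
    return found


def find_suspicious_keywords(vba_text):
    """Return the launcher-style keywords that appear as whole words."""
    hits = []
    for kw in SUSPICIOUS_KEYWORDS:
        if re.search(r"(?<![\w.])" + re.escape(kw) + r"(?![\w])", vba_text, re.I):
            hits.append(kw)
    return hits


def assess(vba_text):
    """Summarise why a module deserves attention, including close-time triggers."""
    autoexec = find_autoexec(vba_text)
    keywords = find_suspicious_keywords(vba_text)
    triggers = [t for t, procs in autoexec.items() if procs]
    return {
        "autoexec": autoexec,
        "keywords": keywords,
        # Flag when any auto-exec trigger coexists with launcher keywords.
        "suspicious": bool(triggers) and bool(keywords),
        "runs_on_close": bool(autoexec["close"]),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_VBA))
```

In practice the VBA text would come from an extractor such as olevba's output rather than a string literal; the check that matters here is `runs_on_close`, which tells the analyst to drive the document through a close event (or simply inspect the module) rather than trusting an open-only detonation.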